|
|
|---|---|
|
|
|
|
|
如果只是到MagicJmp, 试试我这个脚本(注:不对付Anti),其它的自己来
 /* 可能是 arm4.xx 版以后双转单进程修 MagicJmp(简单方案那个MagicJmp)脚本 OS: OllyScript0.92,Ollydbg110_DIY版,忽略所有异常 */ dbh var MutexName var count var check var breakpoint var codebase var csize mov count,0 gmi eip, CODEBASE cmp $RESULT, 0 je err mov codebase, $RESULT gmi codebase, CODESIZE cmp $RESULT, 0 je err mov csize, $RESULT gpa "OpenMutexA", "kernel32.dll" bp $RESULT lab1: esto cmp eip, $RESULT jne lab1 mov MutexName, esp add MutexName, 0C mov MutexName,[MutexName] begin: exec PUSHAD PUSH {MutexName} PUSH 0 PUSH 0 CALL kernel32.CreateMutexA POPAD JMP kernel32.OpenMutexA ende bc $RESULT //Clear bp OpenMutexA// loop2: gpa "OutputDebugStringA", "kernel32.dll" bphws $RESULT, "x" mov breakpoint, $RESULT eob doc esto doc: cmp eip, breakpoint jne err inc count cmp count,2 // I just passed 2 times in one app jne loop2 cob gpa "GetModuleHandleA", "kernel32.dll" bphws $RESULT, "x" mov count,0 eob lab3 lab2: run lab3: cob cmp $RESULT,eip jne err rtu mov check,eip add check, 6 lab4: log check inc count log count cmp [check], A10E0489 // mov dword ptr ds:[esi+ecx],eax -> mov eax jne lab2 add check, 8 cmp [check], 75061C39 // cmp dword ptr ds:[esi+eax],ebx -> jnz jne lab2 add check, 18 cmp [check], A10E0489 // mov dword ptr ds:[esi+ecx],eax -> mov eax jne lab2 add check, 8 cmp [check], 0F061C39 // cmp dword ptr ds:[esi+eax],ebx -> je jne lab2 bphwc $RESULT // clear bp GetModuleHandleA add check, 3 bphws check, "x" // bp Magic Jmp cob eob lab5 run lab5: cmp eip,check jne lab6 mov !ZF,1 //Modify flag When broken in Magic Jmp run lab6: cob bphwc check // clear bp Magic Jmp cmp eip, breakpoint // OutputDebugStringA jne err bphwc breakpoint // clear //此处下面可退出脚本 gpa "GetCurrentThreadId","kernel32.dll" bp $RESULT run cmp eip, $RESULT jne err bc $RESULT rtu bprm codebase, csize run bpmc ret err: msg "Occurrence exception! and Terminal!" ret |
|
|
|
|
|
|
|
|
|
|
|
|
